Hi. I am using the version v4.0.0.0 release. Regarding win_registry_events - I have been trying to get registry change detection to work. I want to monitor some additional keys. I have tried test cases monitoring/creating/deleting registry keys in areas where is is supposed to monitor and I never see the changes logged as win_registry_events. I must be missing something. I am running Windows 10 Pro, US-EN, 22H2, 19045.2486. For the sake of simplicity, I want to monitor HKEY_CURRENT_USER\Keyboard LayoutHKEY_CURRENT_USER\Keyboard Layout. I have followed the pattern but it does not show a win_registry_events in the log.

@Keith Bozek thanks for writing to us. Assuming that you have already put in place registry event filters as specified in osquery.conf file here: https://github.com/eclecticiq/osq-ext-bin/blob/v4.0.0.0/osquery.conf, refer this json section: "plgx_event_filters" -> "win_registry_events" -> "target_name" -> "include" -> "values" Add a filter string as below, then you should see desired registry event.

"\\REGISTRY\\USER\\*\\Keyboard Layout\\*"

Sample snippet below how the filter will look in the filters json:

Thank you for such a quick response. I did a reset of my osquery clearing the database and logs. I replaced the original osqurey.conf file and used the one from the link with the one entry above(see attached). I then tried to create a new registry value. I ahve attached the simple scripts and the reg key export just from that are of the hive. I expected to see a win_registry_events entry in the osqueryd.results.log.

yes, you will need to add a scheduled query on win_registry_events. default conf published does not have it on win_registry_events.

Thanks. I will give that a try.

Did that work @Keith Bozek?

Hi,

A “good” query interval is subjective and is dependent on use case.